OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus

Report No. 2006-P-00005

December 14, 2005


U.S. Environmental Protection Agency, Office of Inspector General
Report No. 2006-P-00005, December 14, 2005

At a Glance

EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency’s (EPA) current physical access and service continuity/contingency controls for select applications at the Research Triangle Park (RTP) campus adhere to Federal and EPA guidelines.

Background

The Office of Inspector General (OIG) contracted with KPMG, LLP, to audit physical access controls and service continuity/contingency planning controls for select financial and mixed-financial systems hosted at EPA’s RTP campus. Physical access controls protect EPA’s resources from unauthorized access, theft, or destruction. Service continuity/contingency controls ensure that EPA can continue operations of critical financial and mixed-financial applications should an outage occur.

What KPMG Found

Physical Access. Controls needed to be improved in areas such as visitor access to facilities, use of contractor access badges, and general physical access to the National Computer Center (NCC), computer rooms outside the NCC, and media storage rooms.

Service Continuity/Contingency. Controls needed to be improved in areas such as completing a Business Impact Analysis, application contingency plans, authorization to move backup data between key facilities, and environmental controls.

In many cases, EPA has in place compensating controls that help reduce the risk of the above issues. However, KPMG believes that controls can be improved to further reduce the risks.

What KPMG Recommends

KPMG recommends that EPA:

•	Improve controls, processes, and procedures related to physical access to the RTP campus and associated facilities.
•	Improve controls, processes, and procedures related to moving tape backups between key facilities.
•	Provide additional training regarding physical access and service continuity planning.
•	Revisit the service continuity strategies for key applications to ensure that all necessary recovery strategies and efforts are ranked in terms of priority, then developed, documented, implemented, and tested.
•	Improve environmental controls at key RTP facilities.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20051214-2006-P-00005.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
Office of Inspector General

December 14, 2005

MEMORANDUM

SUBJECT:	EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus
	Report No. 2006-P-00005

FROM:	Rudolph M. Brevard /s/
	Director, Information Technology Audits

TO:	Kimberly T. Nelson
	Assistant Administrator for Environmental Information and Chief Information Officer

	Luis A. Luna
	Assistant Administrator for Administration and Resources Management

	Lyons Gray
	Chief Financial Officer

	George M. Gray, Ph.D.
	Assistant Administrator for Research and Development

	Thomas P. Dunne
	Acting Assistant Administrator for Solid Waste and Emergency Response

This is the final report on the physical access and service contingency/continuity controls audit conducted by KPMG, LLP, on behalf of the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe areas of improvement that KPMG consultants have identified and corrective actions that KPMG recommends.

This audit report represents the opinion of KPMG, and the findings in this audit report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

The OIG reviewed KPMG’s report and related documentation and inquired of their representatives and found no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed-upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575.


Final Audit Report

EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus

Report No. 2006-P-00005

December 14, 2005


Key Abbreviations Used in this Report

BIA	Business Impact Analysis
CIO	Chief Information Officer
DRS	Disaster Recovery Services
EPA	Environmental Protection Agency
FISMA	Federal Information Security Management Act
FISCAM	Federal Information Systems Control Audit Manual
NCC	National Computer Center
NIST	National Institute of Standards and Technology
OARM	Office of Administration and Resources Management
OCFO	Office of the Chief Financial Officer
OEI	Office of Environmental Information
OIG	Office of Inspector General
OMB	Office of Management and Budget
OTOP	Office of Technology Operations and Planning
RTP	Research Triangle Park
SP	Special Publication


Table of Contents

Chapters

1 Overview .......... 3
	Background .......... 3
	Objectives and Scope .......... 3
	Methodology .......... 4
	Results in Brief .......... 5

2 Physical Access .......... 6
	Contractor Access Badges .......... 6
	NCC Data Center Door Alarms .......... 8
	Evacuation Re-Entry .......... 8
	Computer Room Sign-in Procedures .......... 9
	RTP Campus Visitor Identification .......... 9

3 Service Continuity/Contingency Planning .......... 12
	Business Impact Analysis .......... 12
	Application Contingency Planning .......... 13
	Authorization to Move Tapes to the Alternate Storage Site .......... 17
	Local Alternate Processing Site Access .......... 17
	Environmental Controls .......... 18

Appendices

A	Criteria .......... 20
B	Applications Reviewed .......... 23
C	Distribution .......... 27

EPA’s Response to the Draft Report

D	Office of Environmental Information .......... 28
E	Office of Administration and Resources Management .......... 32
F	Office of Research and Development .......... 37
G	Office of Solid Waste and Emergency Response .......... 41
H	Office of the Chief Financial Officer .......... 43


Chapter 1
Overview

Background

In support of the Environmental Protection Agency (EPA) Office of Inspector General (OIG), KPMG audited physical access controls and service contingency/continuity planning controls for select financial and mixed-financial applications hosted at EPA’s Research Triangle Park (RTP) Campus. The RTP Campus is located in the greater Raleigh/Durham, North Carolina area and is a major EPA center for air pollution research and regulation. RTP supports EPA’s mission of working towards a cleaner environment by concentrating on three major functions: administration and management, regulations, and research and development.

The main RTP campus facility consists of seven buildings (A, B, C, D, E, H, and the National Computer Center (NCC)) and two associated off-campus facilities: the local alternate processing site and the local storage facility. NCC opened in January 2002 and provides large-scale computing services for EPA nationwide, including support for regulatory program offices and administrative activities, as well as advanced super-computing for scientific research in air quality protection and other environmental studies. While the major computing activities occur at the NCC, other buildings have smaller computer and communication rooms that host financial and mixed-financial applications that connect to the campus’ network.

Objectives and Scope

The objectives of our review were focused on three primary areas:

•	Gather the inventory of financial and mixed-financial applications hosted at the RTP facility to guide our review;
•	Evaluate physical security controls in accordance with relevant Federal and EPA criteria and best practices; and
•	Evaluate service continuity/contingency controls in accordance with relevant Federal and EPA criteria and best practices.

For the service continuity/contingency testing portion of the audit, we initially received from EPA a listing of 33 financial and mixed-financial applications residing at the RTP campus. We discussed and validated these applications with EPA RTP officials to ensure the accuracy of the listing. We then selected a judgmental sample of 12 applications for detailed review, based primarily on whether the Agency indicated, within EPA’s Automated Security Self-Evaluation and Remediation Tracking (ASSERT), that the applications had a contingency plan and/or on the criticality of the applications to EPA. EPA uses ASSERT to centrally track remediation of weaknesses associated with information technology systems. ASSERT serves as the Agency’s official record for Plan of Actions and Milestones activities. Appendix B contains the list of applications included in the scope of our audit.

Our review did not include an evaluation of financial and mixed-financial applications that did not have service contingency/continuity plans in place. Additionally, our review did not include the assessment of logical access controls for EPA systems or applications.

Methodology

Our evaluation methodology was derived primarily from the Government Accountability Office’s (GAO’s) Federal Information Systems Control Audit Manual (FISCAM). FISCAM is designed to provide guidance to information technology auditors on the scope of issues that generally should be considered in any review of controls over the integrity, confidentiality, and availability of computerized data associated with Federal systems and applications. We specifically addressed the following two FISCAM control areas:

•	Access control. These controls limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure. Examples of tests we performed under this control area included interviewing data center managers and personnel, reviewing data center access listings, observing data center physical access security controls, and observing data center environmental controls. In addition, we conducted tests of the adequacy of physical access security controls for entry onto the RTP campus and into RTP facilities.
•	Service continuity. These controls involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur. Examples of tests we performed under this control area included interviewing application owners, reviewing application contingency plans, and reviewing data backup and recovery processes.

Additionally, we supplemented our FISCAM-based approach with relevant EPA policy requirements and relevant guidance from the National Institute of Standards and Technology (NIST). Appendix A contains the complete list of applicable criteria. Our audit was conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS).

Results in Brief

In summary, we noted that although EPA has many controls in place regarding physical access and service continuity/contingency planning, controls can be improved. For example:

•	Physical access. We noted that controls needed to be improved in areas such as visitor access to facilities, use of contractor access badges, and general physical access to the National Computer Center (NCC), computer rooms outside the NCC, and media storage rooms.
•	Service continuity. We noted that controls needed to be improved in areas such as the completion of a Business Impact Analysis (BIA), application contingency plans, authorization to move backup data between key facilities, and environmental controls.

In many cases, EPA has in place compensating controls that help reduce the risks in the above areas. However, we believe that controls can be improved to further reduce the risks. In this report, we have provided detailed recommendations for each identified issue.

In general, we recommend that EPA:

•	Improve controls, processes, and procedures related to physical access to the NCC, media storage rooms, server rooms, and associated facilities;
•	Improve controls, processes, and procedures related to the movement of tape backups between key facilities;
•	Provide additional training regarding physical access and service continuity controls;
•	Revisit the service continuity strategies for key applications to ensure that all necessary recovery strategies and efforts are documented, implemented, and tested; and
•	Improve environmental controls at key RTP facilities.


Chapter 2
Physical Access

Access controls should provide reasonable assurance that information technology resources (data files, application programs, and computer-related facilities and equipment) are protected against unauthorized modification, disclosure, loss, or impairment. These controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files.

KPMG conducted a review of physical access controls surrounding select information technology assets within the RTP campus. Specifically, we reviewed the physical security of assets within the NCC, computer rooms outside of the NCC, and media storage rooms (specific names of the local storage and processing sites are not provided for security reasons). As previously noted, our review did not assess logical security controls over EPA systems or applications. Although EPA had many physical access controls in place, we noted conditions in the following areas that increased the risks to the RTP physical security environment:

•	Contractor Access Badges
•	NCC Data Center Door Alarms
•	Evacuation Re-entry
•	Computer Room Sign-in Procedures
•	RTP Campus Visitor Identification

Additional details on each of these areas, as well as related recommendations, follow.

Contractor Access Badges

Per inspection, 29 of the 144 (20%) NCC data center access badges we reviewed were assigned either to temporary contractors or to temporary EPA staff. This issue occurred because NCC has many contractors that require access to the data center 24 hours per day in case of system emergencies. We inquired about assigning badges to specific contractor personnel, and NCC officials informed us that this would be difficult to implement because of the need for contractor maintenance support during emergencies. In these situations, the specifically badged contractor may not be available and another contractor from the same company may arrive to perform the required maintenance support. In addition, like the maintenance support contractors, the janitorial service contractors use generic badges to access the data center to perform routine cleaning services. Therefore, management felt that assigning the badges to specific contractors was not practical.

Subsequent to our testing, we met with management officials to discuss this issue, and management identified several compensating controls: the data center is staffed continuously, entrances are monitored by a video surveillance system, and NCC officials perform a limited badge reconciliation review. Management provided documentation supporting the NCC’s badge reconciliation process. However, we reviewed the badge reconciliation documentation and noted that it was not detailed enough to sufficiently reconcile the badges. Specifically, we noted that the badge reconciliation only accounted for the total number of badges, as opposed to being used as a control to ensure that badges are issued to authorized contractors. Also, there was no documentation to support that the NCC maintained a valid contractor personnel roster listing authorized employees from the contracting company and that these contractors had appropriate background security screenings. Furthermore, management provided no evidence to support that the NCC implemented controls to ensure that contractors without current and appropriate background security screenings are escorted while inside the NCC.

Although management has some compensating controls in place, we believe management should enhance controls by enforcing individual accountability for access to the data center. By not enforcing accountability, there is an increased risk that inappropriate access may be gained to a sensitive processing area. Also, should any damage result from the unauthorized access, it would be difficult and time consuming for the NCC to identify the perpetrator, which could limit NCC’s ability to recoup damages and/or take appropriate legal action.

Recommendations:

We recommend that the Director, Office of Technology Operations and Planning (OTOP) implement policies and controls to ensure that:

1)	All contractors who have access to the data center have individually identifiable badges.

2)	More comprehensive periodic reviews of contractor access to the data center are performed, and badge access is adjusted as necessary.

However, if the Director of OTOP determines that the current process is sufficient and accepts the risk, then OTOP should:

3)	Obtain a complete access roster from the contractor companies (e.g., maintenance support and the janitorial services contractor) with the employee names and the current status of the employee background security screening.

4)	Implement a procedure where only contractors with current and appropriate background security screenings are allowed unescorted access in the NCC.

5)	Implement a procedure to ensure that contractor personnel have appointments and are on their company’s access roster before issuing them temporary badges to the NCC.

6)	Implement a procedure where contractors without current and appropriate background security screenings are escorted while inside the NCC.

Agency’s Response and KPMG’s Evaluation:

Management agrees there are 29 temporary contractor badges that are not assigned to specific individuals. In addition, management agrees that the NCC should conduct more frequent reviews of contractor access to the data center. However, management disagrees with some elements of this finding and believes that compensating controls are in place to mitigate some of the risk. As noted earlier, KPMG believes that although some compensating controls are in place, additional accountability over contractors could be obtained by requiring contractors to possess individually identifiable access badges. Subsequent to the completion of fieldwork, we met with EPA officials to discuss this finding. Based on our discussions and review of additional documentation, we modified this finding where appropriate.

NCC Data Center Door Alarms

Per inspection and observation, we noted that the NCC data center doors do not emit an audible alarm if a door is open for an extended period. By not having an audible alarm on the data center doors, the data center employees would not be aware of potential security breaches until a security guard in building C contacts them. In this regard, equipment could be stolen or intentionally damaged prior to any data center personnel being alerted of the breach. We noted some compensating controls for this issue, such as: 1) the NCC data center door alarms are monitored centrally by the main guard facility in building C, 2) the doors are continuously monitored by a video surveillance system, and 3) the data center is constantly staffed. Although these compensating controls mitigate a portion of this risk, the lack of audible door alarms elevates the risk that unauthorized individuals could access sensitive NCC areas.

Recommendation:

7)	We recommend that the Director of OTOP install audible alarms on all key access points to the NCC data center that would promptly alert NCC security personnel should a door be left open for a designated period of time.

Agency’s Response and KPMG’s Evaluation:

Management concurs with this finding.

Evacuation Re-Entry

Per inspection and observation, we noted that there is no apparent evidence of documented policies or procedures regarding re-entry requirements in the event of a personnel emergency evacuation from RTP. By not having policies and procedures for re-entry, there is an increased risk of unauthorized access by large numbers of personnel returning after an evacuation, particularly if pre-planned entry points are not designated and monitored. This control weakness increases the risk of unauthorized access to other RTP campus facilities and computer equipment, because these areas lack the compensating controls present at the NCC.

Recommendation:

8)	We recommend that the Director of the Office of Administration and Resources Management (OARM) at RTP implement detailed policies and procedures regarding the re-entry of staff to the RTP campus and buildings after an event that would trigger an emergency evacuation.

Agency’s Response and KPMG’s Evaluation:

Management concurs with the recommendation. Management officials stated that procedures are currently being written requiring all employees to badge in upon re-entry into the buildings after an emergency evacuation.

Computer Room Sign-in Procedures

We noted that there is no sign-in sheet for visitors to other computer rooms outside the NCC or to several media storage rooms. Access to the rooms is currently logged by the badge access card system, but the system does not log visitor access. A sign-in sheet is a key operational control because it serves as a visitor registry, providing auditable documentation containing the date of visit, the visitor’s name, company, purpose of visit, local employee escorting the visitor, time of arrival, and time of departure. This documentation provides a means for management to assign accountability to the employee escorting the visitor and to each individual for actions occurring in the computer room.

Generally, this issue existed because the computer rooms outside of the NCC and media storage rooms were not originally designed as computing facilities and do not generally have visitors. Subsequent to the completion of fieldwork, we met with EPA officials to discuss this finding. Based on our discussions, management took immediate action to correct this deficiency and implemented a sign-in sheet. We subsequently reviewed management’s implementation of the control and found it to be sufficient.

RTP Campus Visitor Identification

Per inspection and observation, we noted the following issues that, if corrected, could help enhance the physical security controls at the RTP campus:

•	Perimeter gate security guards did not consistently stop vehicles with a permanent (non-visitor) parking pass and check the vehicle occupants’ identification. Rather, the perimeter gate security guards place assurance in the removable vehicle-parking pass.
•	Perimeter gate security guards did not inspect the identification of all vehicle occupants for vehicles with a visitor parking pass. We noted on several occasions that the guards inspected the identification of the driver only and not the passenger. Additionally, our test of the “identification verification” process revealed that a vehicle was allowed onto the RTP campus without the occupants’ identification being properly checked.
•	Internal building security guards did not consistently verify RTP visitors’ identification. Once a visitor has passed through the security screening station, they are allowed to approach the front desk to sign the visitor log and state their purpose, which will then be verified by the security officer. However, our walkthrough determined that the security officer did not consistently verify or check identification.
•	Unmanned entry points are not properly controlled. On several occasions at different locations, we were able to gain access through unguarded side doors controlled by the badge access card and video surveillance systems by following behind EPA employees who gained authorized building access (“piggybacking”).

We noted that these issues occurred because the RTP security guards are not required to verify the identification of each vehicle occupant, and security guards are not verifying permanent parking decals assigned to RTP employees. Also, the security guards are not consistently following procedures for verifying visitors’ identification, and access to other campus buildings and the NCC is not limited to the main entrance. Therefore, employees and contractors may enter through doors with no security guard presence. Although compensating controls exist, such as a security guard presence and 24-hour monitoring of campus entry and exit points for vehicles, there is an increased risk that unauthorized individuals may gain inappropriate access to sensitive campus areas.

Recommendations:

We recommend that the Director of OARM at RTP:

9)	Issue guidance to remind the security guards at RTP campus entrances to randomly inspect the identification of all occupants in vehicles entering the campus.

10)	Ensure that guards randomly check that the permanently assigned parking passes correspond to the appropriate individual.

11)	Conduct periodic checks to ensure that procedures are consistently followed for verifying visitor identification.

12)	Periodically provide additional security training to other RTP program offices’ employees/contractors addressing good physical security practices. The training should include lessons on challenging persons who are attempting to enter the building without an RTP badge, not allowing individuals to piggyback through unguarded doors, and other security concerns.

Agency’s Response and KPMG’s Evaluation:

Management concurred with these findings and indicated that they are taking steps to improve physical access security. Management also indicated that various checks have been conducted during conferences held at RTP, and coordination has been done to inform personnel of a heightened security posture and to ask them not to allow others to “piggyback” into the building once one person badges through a door.


Chapter 3
Service Continuity/Contingency Planning

Losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency’s ability to accomplish its mission. For this reason, an agency should have: 1) procedures in place to protect information resources and minimize the risk of unplanned interruptions, and 2) a plan to recover critical operations should interruptions occur. These plans should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by users of specific applications. To determine whether recovery plans will work as intended, they should be tested periodically in disaster simulation exercises, understood by personnel with key responsibilities, and supported by management and staff throughout the organization.

KPMG conducted a review of service continuity/contingency planning controls surrounding select financial and mixed-financial applications located at the RTP campus. We noted that the Chief Information Officer (CIO) issues high-level policy and guidance regarding EPA’s contingency planning strategies.
Program offices are responsible for implementing controls to comply with the CIO policy and guidance, such as contingency plan development and testing. The NCC provides service continuity services for many mission-critical EPA applications through the Disaster Recovery Services (DRS) program, which is a fee-for-service arrangement through EPA’s working capital fund. In addition, program offices that do not subscribe their applications to the DRS are required to implement full contingency planning strategies for their applications. Therefore, program offices should coordinate closely with NCC officials, as the NCC hosts many of the financial and mixed-financial applications.

During our audit, we noted conditions associated with the following areas which increased the risks to EPA’s service continuity/contingency planning strategy:

• Business Impact Analysis (BIA)
• Application Contingency Planning
• Authorization to Move Tapes to the Alternate Storage Facility
• Local Alternate Processing Site Access
• Environmental Controls


Business Impact Analysis

We noted that a formal BIA for the NCC has not been conducted to address the identification and prioritization of critical data and operations for major applications. Consequently, the NCC does not have a BIA, approved by senior leadership, that reflects the current information technology processing conditions. The NCC is critical because it provides large-scale computing services for EPA nationwide, including financial reporting applications. Additionally, the NCC supports EPA program offices by providing supercomputing resources for research in its environmental studies.

Although EPA established formal policies, procedures, and guidance for developing BIAs, the NCC did not complete the analysis. Without performing a BIA, there are risks that EPA may not be fully characterizing the necessary system requirements, processes, and interdependencies for its information technology contingency planning and business continuity strategies. Such risks could have a significant impact should a major outage occur.

Recommendations:

We recommend that the Director of the OTOP:

13) Reiterate the importance of completing the BIA to system owners through existing training vehicles and established policies, procedures, and guidance.

14) Conduct a BIA at the NCC that is consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, and utilize the results to conduct a forum with the appropriate EPA program offices’ leadership to facilitate a decision-making process on the program offices’ behalf on updating and/or modifying their current contingency planning and business continuity strategies.

Agency’s Response and KPMG’s Evaluation:

Management agreed with the finding to conduct a BIA at the NCC. However, management did not agree that additional training is necessary since the Agency has already documented the requirement to conduct a BIA and conducted contingency planning training at the 2004 Security and Operations conference. However, during our testing, personnel we interviewed were not aware of the policies, procedures, and guidance. As such, we believe additional efforts are necessary to help ensure personnel are aware of the requirements and management’s commitment to develop a BIA for the NCC.


Application Contingency Planning

Although, in some cases, the reviewed contingency plans contained many of the necessary elements, eleven of the twelve plans did not fully comply with relevant Federal or EPA requirements. We noted that the following areas needed improvement:

Applications Included in DRS:

We noted that for the applications included in DRS, the contingency plans did not consistently identify all elements guided by NIST SP 800-34. For example:

• The NCC DRS contingency plan for the Integrated Financial Management System (IFMS), Management and Accounting Reporting System (MARS), and the Combined Payroll Redistribution and Reporting System (CPARS) does not clearly identify the: 1) alternate processing procedures and 2) critical requirements for hardware, software, telecommunications, office facilities, and office supplies. In addition, it was difficult to determine which steps in the plans related to the recovery of the three applications, and the plan had not been updated since PeoplePlus replaced the CPARS application. Finally, we noted that the contingency plan test results did not include definitive results regarding the recovery of the applications.

• The NCC contingency plan does not contain a section on reconstitution and returning to normal operations.

• The PeoplePlus contingency plan does not list primary and secondary contacts, although the contacts are included in the Critical Applications Disaster Recovery Plan. Furthermore, neither plan clearly specifies which of the two plans would be in operation should an outage occur.

Applications Not Included in DRS:

• We noted that the following applications, not subscribing to the NCC DRS program, contained contingency plan information in the applications’ security plans:

   - Integrated Grants Management System (IGMS);
   - Travel Manager +;
   - Financial Data Warehouse (FDW);
   - Working Capital Fund (WCF); and
   - Bank Card.

However, the information was vague, incomplete, and/or inconsistent regarding some contingency plan procedures. For example, the IGMS security plan contains a contingency planning section that indicates how critical IGMS is to EPA, but it does not contain detailed procedures for how the system would be recovered during an outage. In addition, the security plans for Travel Manager +, FDW, WCF, and Bank Card do not document detailed steps to recover application hardware, software, or telecommunications, and the contingency information does not identify alternative processing locations for the applications.

In addition, for the applications that had separate contingency plans, the level of detail in these plans was not consistent with Federal and EPA requirements. For example:

• The Budget Automation System (BAS) is not referenced in the Office of the Chief Financial Officer (OCFO), Office of Budget contingency plan. In addition, in reviewing the OCFO’s Annual Planning and Budget Division Disaster Preparedness and Recovery Guide - Budget Automation System, version six, we noted many incomplete elements. These incomplete elements included the emergency telephone list and listings of vendors, suppliers, and other service providers.
Such inconsistencies and incomplete information can present significant challenges for EPA should a significant BAS outage occur, as some in the organization may believe that BAS has a well-documented recovery strategy, when in fact the planning efforts are inconsistent and incomplete.

• The Comprehensive Environmental Response, Compensation and Liability Information System (CERCLIS) contingency plan does not identify critical resources needed during an outage (e.g., personnel, telecommunications, hardware, and office facilities and supplies). In addition, the contingency plan’s recovery test does not address the recovery of the application. We were also unable to determine whether contracts are in place for the restoration of the application.

• The Office of Research and Development Management Information System (OMIS) contingency plan call tree contained only business phone numbers for essential personnel, and did not include the information that should be relayed to the personnel. In addition, we noted that the recovery operations section of the contingency plan did not adequately document the steps necessary to restore operations, and it did not document whether the contingency plan had been tested. Subsequent to our review, OMIS took immediate action to remedy these conditions.

These various issues appear to have occurred because of inconsistency in training for relevant contingency planning officials. For example, for the applications that are not part of the DRS program, EPA officials informed us that any contingency planning efforts and agreements are the responsibility of the application owner, thereby increasing the possibility of developing and implementing contingency plans and procedures that are inconsistent with relevant Federal and EPA requirements.

These application contingency plan weaknesses are critical for EPA, because without documenting the essential operations and supporting resources, management may not be able to: 1) predict the negative effects of lost data and interrupted operations and 2) determine how long specific operations can be suspended or postponed. Additionally, without current and complete application contingency plans, management may not be able to efficiently recover from unplanned service interruptions.

Recommendations:

We recommend that the Director of OTOP:

15) Use existing training vehicles to remind all EPA application owners about the importance of: 1) developing application contingency plans/procedures in accordance with Federal and EPA requirements, 2) documenting test results, and 3) revising the contingency plans/procedures based on the test results.

16) Ensure that the NCC DRS contingency plan is updated and tested on an annual basis. The updated NCC DRS contingency plan should identify: 1) applicable recovery steps for IFMS, MARS, and PeoplePlus; 2) alternate processing procedures; 3) critical requirements; and 4) definitive test results regarding the recovery of all applications.

17) Revisit the NCC contingency plan and ensure it contains a section on reconstitution and returning to normal operations.

We recommend that the Office of the Chief Financial Officer ensure that the:

18) Director, Office of Financial Services revises the PeoplePlus contingency plan to: 1) contain primary and secondary personnel information consistent with the Critical Applications Disaster Recovery Plan, and 2) clearly describe which plan takes precedence during a recovery process.

19) Director, Office of Financial Management revises contingency plans for all of their applications not subscribing to the NCC DRS plan (e.g., Financial Data Warehouse), in accordance with relevant Federal and EPA requirements.

20) Director, Office of Budget revises the BAS contingency plan to contain an emergency contact list and listings of vendors, suppliers, and service providers.

We recommend that the Director of the Office of Solid Waste and Emergency Response:

21) Revisit the CERCLIS contingency plan and ensure that it: 1) identifies critical resources; 2) ensures the recovery test addresses all elements of application recovery; and 3) specifies which contracts are in place for the restoration of the application.

Agency’s Response and KPMG’s Evaluation:

In general, all the affected program offices agreed with our findings and recommendations. However, OEI requested that recommendations to correct the noted contingency plan weaknesses be addressed to the applicable program office. Further, OEI disagreed with the recommendation to analyze all contingency plan test results, adjust contingency plans, and send a “lessons learned” report to senior management. OEI also did not agree with the recommendation to establish monitoring procedures to ensure that application contingency plans are tested at least once every year, because OEI already has such a procedure in place and uses the ASSERT system to track the status of contingency plan testing.

KPMG agrees that guidance is available to EPA program offices related to the development of contingency plans. However, given that we identified inconsistent approaches within the program offices for developing and testing contingency plans, we believe that additional management emphasis and training is necessary.

Subsequent to the completion of fieldwork, management officials, in several cases, provided additional documentation, such as updated contingency plans and details regarding EPA’s contingency planning practices. KPMG inspected this information and where appropriate modified this finding.


Authorization to Move Tapes to the Alternate Storage Site

The alternate storage site serves as a temporary storage location for backup tapes being sent from the NCC to the backup tape storage vendor. We inspected the logs tracking the movement of backup tapes between the NCC and the alternate storage site and noted that there is no documented authorization to move the tapes, although there are comparable logs tracking the movement of backup tapes from the alternate storage site to the tape storage vendor.

According to RTP officials, the movement of backup tapes from the NCC to the alternate storage site is an informal process, and there are only a few people involved in the process, which limits the risk.
For example, there is one primary person and one alternate person authorized to approve the moving of tapes between the NCC and the alternate storage site. Consequently, formal procedures for this process have not been developed. We recognize that the limited number of people involved in this process reduces the risk. However, there is an increased risk that accountability for the tapes may be lost if there is no documented authorization supporting the movement of tapes.

Recommendation:

22) We recommend that the Director of OTOP implement a procedure and control whereby the backup tapes being sent from the NCC to the alternate storage site have documented authorization for movement.

Agency’s Response and KPMG’s Evaluation:

Management concurs with the recommendation and indicated OEI will document procedures to authorize movement of backup tapes from the NCC to the alternate storage site.


Local Alternate Processing Site Access

The local alternate processing site is utilized as a continuity of operations facility for the NCC data center and is located on the border of the RTP campus. Additionally, the site contains research equipment and serves as a general warehouse. The NCC has one room designated as a contingency facility for emergency situations, and this room is equipped with several operational computers, telephones, and one television. However, we noted that the site lacks an active security monitoring process, such as camera surveillance or security guards. The security present at the facility consists of a badge access card system, which is used to control entry.

EPA officials indicated that a previous physical security assessment categorized the facility as low risk and therefore not requiring a strong security presence. Additionally, EPA officials indicated that should an event occur that raises the threat level of the campus, additional guards and security measures would be deployed at all facilities. The emergency response process for the facility is dependent on the threat level to the campus, which is directed by the Department of Homeland Security threat level. However, by not actively controlling access to the facility, there is an increased risk that unauthorized individuals may gain inappropriate access to a sensitive area, especially during a continuity of operations exercise or actual continuity of operations activities.

Recommendation:

23) We recommend that the Director of the NCC coordinate with the Director of OARM at RTP to document the expected physical security controls for the local processing site in the event of an emergency and include these procedures in the National Computer Center’s contingency plan.

Agency’s Response and KPMG’s Evaluation:

OEI concurs with the recommendation, and agreed to work with OARM to assess the risks, costs, and benefits to make a risk-based decision on additional controls. OARM responded by stating that a Physical Security Assessment of the RTP main campus facility was performed in 2004, which identified the facility as a “LOW Threat Level Facility.” Based on this finding, OARM decided to mitigate this risk by including some of these corrections in a future lease agreement.

KPMG recognizes EPA’s need to implement cost-effective security controls to mitigate risks. However, the acceptance of risks should be coordinated, documented, and approved by appropriate senior Agency officials. As such, we believe that OARM’s rationale for accepting the risks associated with the local processing site should be formally documented and communicated to all affected Agency offices so that appropriate contingency planning activities can occur. Based on discussions with Agency officials, we modified the recommendation.


Environmental Controls

KPMG noted examples where EPA environmental controls at key RTP facilities could be improved:

• KPMG noted during the walkthrough of the NCC data center that food and drinks were allowed in the computer areas. This violates posted signs throughout the data center stating that eating and drinking are prohibited.

• KPMG noted, during the walkthrough of the computer rooms outside of the NCC, that emergency procedures were not posted in case of fire, plumbing leakage, or premature water release from the sprinklers. Additionally, during our walkthrough of another computer room, we observed a water stain from a previous leak on the ceiling tiles. We also noted that emergency water shut-off valves and electric power sources were not easily identifiable.

It appears that these issues existed because: 1) EPA management officials have not fully enforced the requirement of not having food and drinks in the NCC data center, and 2) EPA did not develop and implement processes for these critical procedures for the computer rooms outside of the NCC. One computer room was not originally designed to host computer equipment; as such, water lines run through the room, thereby increasing the risk of water damage from a leak or burst pipe.

Allowing food and drink in the NCC data centers increases the risk that key processing equipment or other materials, such as recovery plans and procedures, could be damaged by a spill. In addition, if the appropriate EPA personnel are not aware of the emergency procedures and cannot easily locate the emergency water shut-off valves and electrical power sources, EPA personnel may not promptly respond to an emergency to protect the computer equipment in case of a burst water pipe or plumbing leakage.

Subsequent to completing fieldwork, RTP personnel provided KPMG with additional documentation regarding environmental controls over the computer rooms. Specifically, KPMG was provided with documents containing bullet-point procedures for both fire and water emergencies in the computer rooms, and EPA OIG auditors observed these policies posted in the computer rooms. Additionally, RTP personnel provided work orders to identify the shut-off valves for the water and plumbing lines and for the installation of water detectors. EPA OIG auditors inspected the computer rooms and verified that environmental controls existed.

Recommendations:

24) We recommend that the Director of OTOP make a determination whether to enforce the posted notices regarding not having food and drinks in the NCC data center and remind employees of the policy. If management decides to accept the risk of allowing food and drinks in the data center, then the acceptance of the risk should be documented in the NCC security risk assessment.

Agency’s Response and KPMG’s Evaluation:

Management officials agree with our findings and recommendations. OARM at RTP disagreed with implementing compensating controls such as having security guards perform visual inspections of computer rooms. As such, OARM officials provided additional documentation and details regarding its efforts to provide effective environmental controls over the computer rooms.
Where appropriate, we modified this finding.


Appendix A
Criteria

The following laws, requirements, and/or guidelines were used as criteria in guiding our review of physical security and service continuity at RTP.

• The EPA Information Security Manual states that:

   - Physical security measures must be in place to protect information systems against unauthorized access, theft, or destruction.

   - Continuity of support and/or contingency plans must be developed. Specifically, the manual requires that: 1) contingency and continuity of support plans should be reviewed and updated on an annual basis and in coordination with COOP planning efforts; 2) recovery plans should be developed for re-establishing a permanent, ongoing processing site; 3) the plans should be tested; 4) EPA should conduct training on the plan and its elements; 5) the plans should be documented; and 6) the plans should be periodically retested and revised.

   - Food, smoke, heat, and excess moisture can damage equipment.

• The Federal Information Security Management Act (FISMA), issued as part of the E-Government Act of 2002, requires Federal agencies to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency. FISMA further requires Federal agencies to follow information security guidance issued by NIST.

• The Federal Managers’ Financial Integrity Act (FMFIA) requires Federal agencies to maintain accountability over assets.

• National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook, guides that contingency planning should address all the resources needed to perform a function, regardless of whether they directly relate to a computer. This will allow an organization to assign priorities to resources, since not all elements of all resources are crucial to the critical functions.

• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, guides that organizations should require users to identify themselves uniquely before being allowed to perform any actions on the system.

• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, guides that:

   - The completion of a BIA is a key step in the contingency planning process, as it helps identify and prioritize critical information technology systems and components. According to NIST, the BIA enables the organization to fully characterize the system requirements, processes, and interdependencies and use this information to determine contingency requirements and priorities. The BIA purpose is to correlate specific system components with the critical services that they provide, and based on that information, to characterize the consequences of a disruption to the system components. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization’s contingency planning and business continuity strategies.

   - Contingency plan testing is a critical element of a viable contingency capability, and each element of the contingency plan should be tested, first individually and then as a whole, to confirm the accuracy of individual recovery procedures and the overall effectiveness of the plan. Additionally, it states that this testing should occur at least annually and when significant changes occur to the IT system, supported business process(es), or the IT contingency plan.

   - Common fire prevention measures include water sensors in the computer room ceiling and floor.

• NIST SP 800-53, Recommended Security Controls for Federal Information Systems, guides that Federal agencies should:

   - Develop and keep current lists of personnel with authorized access to facilities containing information systems and issue appropriate authorization credentials (e.g., badges, identification cards, smart cards).

   - Assign designated officials within the organization to review and approve access lists and authorization credentials per a defined time period, but at least annually.

   - Centrally monitor real-time intrusion alarms and surveillance equipment, and employ automated mechanisms to ensure potential intrusions are recognized and appropriate response actions initiated.

   - After an emergency-related event, restrict reentry to facilities to authorized individuals only.

   - Authenticate visitors (including government contractors) prior to authorizing access to facilities or areas.

   - Maintain a visitor access log that includes: (i) name and organization of the 
person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. NIST further guides that designated officials within the organization should review the access logs.

   - Consider surveillance and security guards as key physical access controls.

• Office of Management and Budget (OMB) Circular Number A-123, Management Accountability and Control, requires that accountability for the custody and use of resources be assigned and maintained.

• OMB Circular A-130, Management of Federal Automated Information Resources, guides that agencies shall:

   - Implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

   - Establish policies and assign responsibilities to assure that appropriate contingency plans are developed and maintained by end users of information technology applications. The intent of such plans is to assure that users continue to perform essential functions in the event their information technology support is interrupted.


Appendix B
Applications Reviewed

Columns: Application; Program Office; Description; Major Application; Risks.

1. BAS (Budget Automation System)
   Program Office: Office of the Chief Financial Officer (OCFO)
   Description: BAS is the central Agency system used to integrate strategic planning, annual planning, budgeting, and financial management. The system contains resource (dollars and FTE), planning and performance data. The system supports budget formulation, annual planning and operating plan development. BAS links to the IFMS to send the Agency’s Initial Operating Plan in the format of IFMS Appropriation & Apportionment (AA) documents. BAS receives from IFMS the revised operating plan and actual obligations/outlays data.
   Major Application: Yes. Risks: High.

2. CERCLIS (Comprehensive Environmental Response, Compensation and Liability Information System)
   Program Office: Office of Superfund Remediation and Technology Innovation (OSRTI)
   Description: The Agency’s system for supporting the Superfund program. CERCLIS receives downloads of IFMS Superfund financial transactions. This is not an OCFO application and no information from this system is sent to the Integrated Financial Management System (IFMS).
   Major Application: Yes. Risks: High.

3. CPS (Contracts Payment System)
   Program Office: Office of the Chief Financial Officer
   Description: CPS is an NCC mainframe application with an ADABAS database. The application tracks and pays EPA contractors. This application is a subscriber to the NCC Disaster Recovery Program.
   Major Application: Yes. Risks: High.

4. MARS (Management and Accounting Reporting System)
   Program Office: Office of the Chief Financial Officer
   Description: MARS provides standard and ad hoc financial reports based on data from IFMS. The source for the MARS data is the IFMS journal. It is run out of the NCC and is an ADABAS/Mainframe application.
   Major Application: Yes. Risks: High.

5. IGMS (Integrated Grants Management System)
   Program Office: Office of Administration and Resources Management (OARM)
   Description: IGMS is the Agency’s system for the processing and management of all forms of assistance agreements with State and local governments, non-profit organizations, educational institutions, and individuals, as well as interagency agreements with other Federal agencies. IGMS receives commitment data from IFMS. This Lotus Notes application is owned by the Grants Department.
   Major Application: Yes. Risks: High.

6. OMIS (Office of Research and Development Management Information System)
   Program Office: Office of Research and Development (ORD)
   Description: OMIS is comprised of five independent modules. Only the Integrated Resource Management System (IRMS) interfaces with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables.
   Major Application: Yes. Risks: High.

7. TM+ (Travel Manager +)
   Program Office: Office of the Chief Financial Officer
   Description: TM+ is a COTS product used to streamline and fully automate the Agency’s travel process. TM+ sends Travel Order (TO) and Travel Voucher (TV) documents to IFMS. TM+ automates the travel process for EPA. It was developed by Gelco and runs on its own servers.
The\n                                           application will be phased out in\n                                           September 2006 when E-Travel (a.k.a.\n                                           GovTrip) is implemented. EPA had\n                                           one of three choices in the\n                                           replacement of TM+ and opted for the\n                                           Northrop Grumman GovTrip web-\n                                           based application.\n\n\n\n\n                                                     24\n\n\x0c                                                                                    Major\n        Application    Program Office                  Description                              Risks\n                                                                                  Application\n8.   WCF (Working     Office of         WCF Service Providers generate               Yes         High\n     Capital Fund)    Environmental     monthly entries to record depreciation,\n                      Information       cost transfers, and application of\n                      (OEI)             Overhead and G&A as well as\n                                        customer billing information. They\n                                        transmit that data automatically via an\n                                        interface file containing Asset\n                                        Voucher (AV)/Month End Adjustment\n                                        Voucher (MV), and Project Charge\n                                        (CH) documents to IFMS. All\n                                        information is placed on the IFMS\n                                        SUSF table for the RTP, FMC staff to\n                                        review and process online or through\n                                        batch mode. 
Any errors found are\n                                        researched and corrected prior to\n                                        processing. WCF is run by the Office\n                                        of Technology Operations and\n                                        Planning (OTOP) group. Some\n                                        servers are maintained at RTP,\n                                        however OCFO does not know what is\n                                        contained on them. Regular backups\n                                        are performed for the application.\n9.   IFMS (Integrated Office of the     IFMS is a mainframe application              Yes         High\n     Financial        Chief Financial   hosted at the NCC. It is the EPA\xe2\x80\x99s\n     Management       Officer           core financial system and does\n     System)                            subscribe to Disaster Recovery\n                                        services at the NCC.\n10. People Plus       Office of the     EPA\xe2\x80\x99s new payroll processing system.         Yes         High\n                      Chief Financial   People Plus is a co-owned system\n                      Officer and the   between the OCFO and the OHROS.\n                      Office of Human   The application is hosted at the NCC\n                      Resources and     on a UNIX machine.\n                      Organizational\n                      Services\n                      (OHROS)\n11. Bankcard          Office of the     Bank Card Interface System was                No        Medium\n                      Chief Financial   developed to properly allocate funds\n                      Officer           in paying for items purchased with\n                                        credit cards. 
The daily files of\n                                        transactions are maintained on an\n                                        Oracle Database with an upload to the\n                                        financial statements. The application\n                                        has a web interface to allow users the\n                                        ability to see payments and\n                                        obligations.\n\n                                                 25\n\n\x0c                                                                                Major\n       Application   Program Office                  Description                            Risks\n                                                                              Application\n12. Financial Data   Office of        FDW houses periodic snapshots of           Yes        High\n    Warehouse        Financial        IFMS data to provide reporting\n    (FDW)            Management and   capability. The FDW offers standard\n                     Office of        reports from IFMS, EPAYS, CPARS\n                     Financial        and CPS. 
Access to FDW is\n                     Services         controlled by FSD.\n\n                                      The application is hosted at NCC on a\n                                      Unix NIX Digital machine with\n                                      Oracle 8.1 database tables.\n\n\n\n\n                                               26\n\n\x0c                                  Appendix C\n                                   Distribution\n\nOffice of the Administrator\nDirector, Office of Technology Operations and Planning\nDirector, Office of Administration and Resources Management at RTP\nDirector, Technical Information Security Staff\nDirector, National Computer Center\nNational Computer Center Security Operations Manager\nAgency Follow-up Coordinator\nAudit Follow-up Coordinator, Office of Administration and Resources Management\nAudit Follow-up Coordinator, Office of Environmental Information\nAudit Follow-up Coordinator, Office of the Chief Financial Officer\nAudit Follow-up Coordinator, Office of Research and Development\nAudit Follow-up Coordinator, Office of Solid Waste and Emergency Response\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociation Administrator for Public Affairs\nInspector General\n\n\n\n\n                                            27\n\n\x0c                                    Appendix D\n\n                  Office of Environmental Information \n\nDraft Report Response from the Office of Environmental Information (OEI)\n\n                                       October 21, 2005\n\nMEMORANDUM\n\nFROM:         Kimberly T. Nelson /s/\n              Assistant Administrator and Chief Information Officer\n\nTO:           Rudolph M. Brevard\n              Acting Director, Business Systems Audits\n              Office of Inspector General\n\n       Thank you for the opportunity to respond to the draft audit report on Information System\nService Contingency and Physical Access Controls. 
We appreciate your efforts to hold informational meetings to ensure clarity of your findings and recommendations and to give us an opportunity to recommend revisions.

As we discussed at the informational meetings on October 4, 2005, we have concerns about some of the findings and recommendations regarding the physical access and information system service contingency findings. We conveyed these concerns to your staff at the October 4 meeting and appreciate their receptivity to ensuring that the findings are accurate and that the final recommendations will effectively address real deficiencies.

Our detailed comments are attached. Please feel free to contact George Bonina, Director of the Technology and Information Security Staff and Chief Information Security Officer, at 202 566-0304 if you have any questions or need additional information.

Attachment

cc: Linda Travers
    Mark Day
    Myra Galbreath
    George Bonina
    Robin Gonzalez
    John Gibson

Physical Access

Contractor Access Badges

OEI agrees with the finding that 29 badges were identified as contractor temporary badges not assigned to a specific individual. The NCC developed a procedure for issuing contractor temporary badges as a result of a prior audit finding that the data center had too many people with permanent access. Consequently, NCC issues contractor temporary badges for personnel whose data center access frequency is less than three times per week.

OEI disagrees with the finding that these contractor temporary badges have no names associated with the badges. Unescorted temporary badges are only assigned if the individual’s name appears on a predefined controlled access list, maintained in the data center. As each temporary badge is issued, the individual’s name is entered in a visitor access control log.

OEI disagrees with the finding that the temporary badges are not kept in EPA facilities. All badges are maintained at the NCC.

OEI disagrees with the finding that there is no formal process for identifying the contractor using the badge. The formal process for issuing and documenting temporary badges is in place as described above.

OEI disagrees with the finding that contractors do not identify specific individuals to support the NCC in cases of each emergency, and that the NCC issues generic access badges to the contractor companies rather than to specific individuals. Any contractor who does not currently have a permanently issued badge or whose name does not exist on the pre-defined access control list is required to have an escort during their presence in the data center. Each of these individuals must be identified by the vendor prior to their arrival.

OEI disagrees with recommendation (1), given the existence of the current process that explicitly associates all badges and access to the NCC with individual identification.

OEI agrees with recommendation (2) to conduct more frequent reviews of contractor access to the data center.

NCC Data Center Door Alarm

OEI agrees with this recommendation.

Local Alternate Processing Site Access

OEI will work with OARM to assess the risks, costs and benefits to make a risk-based decision on additional controls.

Service Continuity/Contingency Planning

Completion of the BIA

OTOP conducted training on contingency planning at the 2004 Security and Operations Conference. Staff from OTOP’s Technology and Information Security Staff (TISS) provide support to system owners on an ongoing basis.

Since there is already a well-documented EPA requirement to conduct BIAs, the recommendation to document that requirement (18) is not necessary.

The recommendation to conduct additional training on contingency planning (17) is not necessary due to the clarity of the NIST document, OEI’s supplemental guidance, the prior training conducted by OTOP and the availability of TISS support to program offices.

OEI agrees with the recommendation that the NCC conduct a BIA (19).

OEI disagrees with the recommendation to conduct a forum with EPA program offices leadership to update/modify current contingency planning and business continuity processes (19). This audit contains no finding that would be addressed through this recommendation.

Application Contingency Plan Weaknesses

OEI Response

Most of the recommendations appear to be based on an incorrect conclusion that problems with individual system contingency plans are the result of a systemic problem with the Agency-wide contingency planning program. As noted above, it appears that the auditors were not aware of the Agency procedures and guidance on contingency planning. OEI believes that it is inappropriate to place the responsibility for correcting deficiencies in program office system contingency plans on the OTOP Director. Placing this responsibility on the OTOP Director is in contradiction to FISMA, which places the responsibility for system security on program officials for systems under their control. Therefore, OEI believes that recommendations (24) and (26) through (30) should be directed to the Assistant Administrator of the appropriate office.

OEI believes that the recommendation to analyze all contingency plan test results, adjust contingency plans and send a “lessons learned” report to senior management (25) is unnecessary because there is nothing in the audit findings to support a conclusion that there is a systemic problem to be addressed through this recommendation. Also, consistent with FISMA, analyzing test results and adjusting plans is the responsibility of the program officials.

For reasons noted above, OEI disagrees with the recommendation to provide consistent training to all EPA application owners (20).

It is not clear why the recommendation to establish monitoring procedures to ensure that application contingency plans are tested at least once every year or more often (21) is included, since the findings identify only one plan that may not have been tested. This recommendation is also unnecessary because OEI already has such a procedure in place. OEI uses the ASSERT system to track the status of contingency plan testing. The percentage of systems with tested contingency plans is measured on the E-gov scorecard of the President’s Management Agenda as well as an OMB performance measure that is reported quarterly to OMB. For the FY 2005 Annual FISMA report to OMB, EPA reported that 97% of the Agency’s major applications and general support systems had tested contingency plans. OIG auditors have access to ASSERT and can verify this information.

OEI agrees with recommendations (22) and (23).

Authorization to Move Tapes to Alternate Storage Facility

OEI Response:

OEI will document procedures to authorize movement of backup tapes from NCC to a local storage facility.

Environmental Controls

OEI Response:

OEI agrees with recommendation (32) to address the risks of food and drinks in the NCC data center.

OEI will work with OARM to assess the risks, costs and benefits to make a risk-based decision on additional controls (33).

OARM Response:

OARM will respond directly to the IG in a separate document.

Appendix E

Office of Administration and Resources Management

Draft Report Response from the Office of Administration and Resources Management at RTP (OARM)

October 25, 2005

MEMORANDUM

SUBJECT: OARM Response to Draft Audit Report: Audit of Information System Service Contingency/Continuity and Physical Access Controls of EPA’s Financial and Mixed-Financial Systems that Reside at Research Triangle Park
         Assignment/Project No: 2004-001383

FROM: William G. Laxton, Director /s/
      Office of Administration and Resources Management, RTP (C604-02)

TO: Vincent Campbell, Auditor/Project Officer
    Office of Inspector General (2421T)

The enclosed report addresses the recommendations identified in the original audit report for OARM-RTP action. Our reply addresses each recommendation for Chapters 2 and 3.
The point of contact for Chapter 2, Physical Access, is Sam Pagan, (919) 541-5001; for Chapter 3, Service Continuity/Contingency Planning, the contact point is Alex Montilla, (919) 541-0324.

Attachment

Chapter 1: Overview

No findings or recommendations requiring OARM lead.

Chapter 2: Physical Access

With regard to: Evacuation Re-Entry:

Recommendation 8: Coordinate the implementation of detailed policies and procedures regarding the reentry of staff to the campus and buildings after an event that would trigger an emergency evacuation. (from page 5 of draft report)

Response: Procedures are currently being written requiring all employees to badge in upon reentry into the buildings after an emergency evacuation.

Recommendation 9: Provide additional security training to employees/contractors addressing good physical security practices, such as challenging persons who are attempting to enter the building without an EPA badge. (from page 5 of draft report)

Response: Employees at RTP have been reminded of these procedures through various all hands memos informing them of a heightened security posture and asking them to not allow others to piggyback into the building once one person badges through a door. We will continue to inform our employees of these procedures through other means of communication.

With regard to: RTP Computer Room Visitor Identification:

Recommendation 10: Coordinate with the applicable program offices to consistently enforce policies and procedures that would require all visitors entering the computer room in building C to sign a visitor log, which should be maintained and kept on file. (from page 6 of draft report)

Response: On 21 July 2005 OARM posted access logs in each of the four computer rooms (C160, C131, C240 and N147) to include the main distribution facility (C160A). The policy was disseminated to system administrators via email directing that all visitors escorted into server rooms and the MDF sign in and out of the rooms accordingly. Escorts are required to record their identification badge number by each of their visitor's information.

Recommendation 11: Ensure the consistent enforcement of policies and procedures that would require all visitors entering the silo room at the local storage facility to sign a visitor log, which should be maintained and kept on file. (from page 6 of draft report)

Response: Though this recommendation is made to OARM, the silo room in question is operated by the NCC. This recommendation should be addressed by OEI-OTOP. OARM has coordinated this finding with the appropriate NCC personnel and has provided an electronic copy of its computer room access log accordingly. OARM security will coordinate with the Director of OTOP to establish a procedure that would require everyone entering the silo room to sign a visitor log.

With regard to: Campus Visitor Identification:

Recommendation 12: Issue guidance to remind the security guards at RTP campus entrances to inspect the identification of all vehicles and individuals entering the campus. (from page 7 of draft report)

Response: Security into the RTP campus is based on a two-tiered system. The first tier is a preliminary check at the gates. This check makes sure that each vehicle entering the RTP campus has an authorized vehicle pass. Visitors are issued a one day vehicle pass upon presenting proper identification. A more thorough security check is conducted during our second tier check. Each visitor is checked at the entrance to each of our main buildings. Visitors must go through a magnetometer and show proper identification prior to gaining entrance to our buildings.

Recommendation 13: Ensure that guards check that the removable parking passes correspond to the appropriate vehicle/individual. (from page 7 of draft report)

Response: Our main security check is conducted at the entrance to each one of our buildings and not at the gates. The main reason is that the RTP campus has a very porous perimeter. The gates are the principal way to get into the campus, but there are many ways to enter through the wooded areas surrounding the campus. Because of this, we conduct our personnel security checks at the entrance to our buildings. Delivery trucks are stopped by bollards and another security gate inside the main campus. This gate is also manned by a security guard. Delivery trucks are not allowed through the bollards until positive identification of the driver and the program expecting the delivery is made.

Recommendation 14: Ensure that procedures are consistently followed for verifying visitor identification. (from page 7 of draft report)

Response: Various checks have been conducted during conferences held at RTP to assure the correct visitor procedures are followed.

Recommendation 15: Coordinate with other RTP program offices to provide additional security training to employees/contractors addressing good physical practices, such as challenging persons who are attempting to enter the building without an RTP badge. (from page 7 of draft report)

Response: Coordination has been done via various all hands memos informing them of a heightened security posture and asking them to not allow others to “piggyback” into the building once one person badges through a door. We will continue to inform our employees of these procedures through other means of communication.

With regard to the alternate processing site:

Recommendation 16: We recommend that the Director of OTOP and Director of OARM at RTP coordinate to develop a strategic plan to deploy security controls at the alternate processing site facility in the event of an emergency. Alternatively, the Director of OTOP and the Director of OARM should coordinate to accept the security risk of the facility, and document the risk in the facility security risk assessment. (from page 8 of draft report)

Response: The Physical Security Assessment of the Research Triangle Park’s (RTP) Main Campus Facility done in 2004 identified the local processing site facility as a “LOW Threat Level Facility”. Based on this finding, we decided to mitigate this risk by including some of these corrections in a future lease agreement. Additionally, we decided to “accept the risk” of not having a visitor control system in place. One of the many functions done at the local processing site is the initial drop-off of all incoming mail and packages into our facilities. These items are then x-rayed at the warehouse before they are delivered to our other facilities by our contractor. Furthermore, deliveries to the local processing site are made by different companies and drivers each day. We chose to accept this risk in order to protect our main facilities from vulnerabilities from unknown deliveries.

Chapter 3: Service Continuity/Contingency Planning

With regard to: Environmental Controls:

Recommendation 33: Install the equipment to implement necessary detective and preventive controls such as the identification of shut off valves for plumbing lines and water sprinklers, installation of water detection equipment, and the development of water emergency procedures that deal with plumbing line leakage and premature water release from sprinklers. Alternatively, compensating controls and related procedures, such as periodic monitoring of the computer room by security guards, should be implemented. (from page 16 of draft report)

Response: In FY 2004 OARM installed water detection sensors in all computer rooms (C160, C131, C240 and N147) as well as the main distribution facility (C160A). Materials have been purchased and procedures are in place to drape plastic over the computer cabinets in each server room should there be a water emergency. OARM has installed a redundant Storage Area Network that performs synchronous mirroring between appliances in Building C and the NCC. OARM has offered this service to OCFO and the other campus program offices as a means of mitigating this water incident vulnerability. The OARM LAN Manager monitors the computer rooms through physical inspection of each area. He tracks UPS Load, Humidity Levels and Temperature as well as looks for leaks in ceiling tile. The O&M contractor is advised of any water present beneath the raised floors and advises the OARM LAN Manager accordingly. The OARM LAN Manager does not recommend that Security Guards (contractors) be allowed into computer rooms or the MDF unescorted.

OIG (Cheryl Reid) visited computer rooms in building C to verify that water detectors are in fact installed beneath the raised floor. She has seen the detectors that have been installed and to the best of our knowledge we have satisfied that portion of the recommendation. She recommended that procedures be posted in each room outlining our response actions to a water leak incident. We have submitted and received 5 poster boards containing such procedures for each computer room. Furthermore, we have submitted the work order to identify the shut off valves for the water sprinklers and plumbing lines. The O&M contractor (CHI) is responsible for those systems and would shut off the appropriate valves in the event of any water leaks. Finally, we provided OIG (Cheryl Reid) a copy of reports substantiating our periodic monitoring (weekly) of each computer room. The report substantiates our response that the computer rooms are being actively monitored. In short, we have water detectors in each computer room, we have posted compensating procedures, and we perform active monitoring of the computer rooms.

Appendix F

Office of Research and Development

Draft Report Responses from the Office of Research and Development (ORD)

November 4, 2005

MEMORANDUM

SUBJECT: ORD Response to Draft OIG Report, Audit of Information System Service Contingency/Continuity and Physical Access Controls of EPA’s Financial and Mixed-Financial Systems that Reside at Research Triangle Park, No. 2004-001383

FROM: George Gray /s/ Lek Kadeli for
      Assistant Administrator (8101R)

TO: Rudolph M. Brevard
    Acting Director, Business Systems Audits (2421T)

Purpose

The purpose of this memorandum is to provide the Office of Research and Development’s (ORD) comments on the subject draft OIG report.

Background/Discussion

The draft report dated September 13, 2005, noted several areas which needed improvement. ORD took a proactive approach and immediate action to remedy those areas. Specifically, the ORD Management Information System (OMIS) Contingency Plan (attached) was revised as follows: (1) Appendix A, Personnel Contact List, was updated to include all business, home, and cell phone numbers; and (2) Appendix D, Disaster Recovery Testing, was added to include the type of test, test date, and the result. The revised OMIS Contingency Plan, dated September 26, 2005, was provided to the Office of Environmental Information on October 3, 2005 and to your staff on October 14, 2005.

It should be noted that the OMIS Contingency Plan clearly states that the database is exported nightly from Research Triangle Park, NC to our backup servers in Washington, DC. If the contingency plan is put into effect, the Washington, DC servers would be converted to our production servers. We have successfully tested this Plan with the procedures outlined in Appendix C and documented it in Appendix D: Disaster Recovery Testing.

Detailed comments are attached that we believe will sharpen the quality and accuracy of the draft report.
Should you or your staff have questions or require further information, please have them contact Cheryl Varkalis at 202-564-6688.

Attachments (2)

cc: Lek Kadeli
    Jack Puzak
    Alice Sabatini
    Amy Battaglia
    Jorge Rangel
    Tom Tracy
    John Sykes
    Cheryl Varkalis

ORD Comments on OIG Draft Audit Report
Audit of Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems located at the Environmental Protection Agency's (EPA's) Research Triangle Park Campus

1. On page 12, paragraph 2, line 1, the draft report states:

"In reviewing the Office of Research and Development Management Information System (OMIS) contingency plan, we noted that the call tree within the contingency plan contains only business phone numbers for essential personnel, and does not include the information that should be relayed to critical personnel. In addition, we noted that the recovery operations sections of the contingency plan does not adequately document the steps necessary to restore operations, and it does not appear that the contingency plan has been tested."

RESPONSE: We request this paragraph be deleted from the report, or the report adjusted to reflect actions already taken by ORD.

Discussion: Appendix A: Personnel Contact List, has been updated to include all business, home, and cell phone numbers. The steps necessary to restore operations are contained in Appendix C: OMIS Technical Disaster Recovery Procedures, which details all of the steps necessary to restore operations. This has been tested and noted in OMIS Contingency Plan Appendix D: Disaster Recovery Testing.

2. On page 14, Recommendation 29, the draft report states:

"We recommend that the Director of OTOP work collaboratively with the Office of Research and Development to revisit:

29) OMIS contingency plan and ensure that the call tree within the contingency plan contains home phone numbers and cell phone numbers for essential personnel, and it also contains the key information that should be relayed to critical personnel. Further, the OMIS contingency plan should document the steps necessary to restore operations, and should also be tested on a regular basis."

RESPONSE: We request this paragraph be deleted from the report, or the report adjusted to reflect actions already taken by ORD.

Discussion: Section 3.3, Activation, of the OMIS Contingency Plan, states the key information that is relayed to critical personnel. The steps to restore operations are documented in Appendix C. OMIS Disaster Recovery Testing is included in Appendix D. The most recent test was performed in August 2005; testing will be performed on an annual basis.

3. On page 21, Appendix B, item 6, the draft report states:

"OMIS is comprised of six independent modules. Only the Integrated Resource Management System (IRMS) and the Laboratory Implementation Plan (LIP) interface with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as the operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables."

RESPONSE: We request the following change to this portion of the draft report:

OMIS is comprised of five independent modules. Only the Integrated Resource Management System (IRMS) interfaces with IFMS. The real-time interfaces are used to electronically transmit transactions (commitment and reprogramming) to IFMS. Extract files are created after the nightly IFMS close to bring down to IRMS the approvals/disapprovals of the reprogramming transactions as well as the operating plan, commitments, obligations, and expenditures from the Suballowance Spending Control Inquiry Table (SASP) and General Ledger tables.

Discussion: The Laboratory Implementation Plan (LIP) has been retired and is no longer in production. Thus, there are only five independent modules. References to the LIP should be removed.

Appendix G
Office of Solid Waste and Emergency Response
Draft Report Response from the Office of Solid Waste and Emergency Response (OSWER)

November 11, 2005

MEMORANDUM

SUBJECT:  OSWER Response to Draft Audit Report "Audit of Information System Service Contingency\Continuity and Physical Access Controls of EPA's Financial and Mixed-Financial Systems that Reside at Research Triangle Park", Assignment/Project No: 2004-001383

FROM:     Barry N. Breen /s/
          Deputy Assistant Administrator

TO:       Rudolph M. Brevard
          Acting Director, Business Systems Audits
          Office of Inspector General

Thank you for the opportunity to respond to the draft audit report on Information System Service Contingency and Physical Access Controls. We appreciate your efforts to hold informational meetings to ensure clarity of your findings and recommendations and to give us an opportunity to recommend revisions. Our comment on the OIG recommendation is as follows:

OIG Recommendation

We recommend that the Director of OTOP work collaboratively with the Office of Solid Waste and Emergency Response to revisit CERCLIS contingency plans and ensure that it identifies critical resources; ensure that the recovery test addresses all elements of application recovery; and ensure that contracts are in place for the restoration of the application.

OSWER Response

We agree with the Office of Environmental Information's (OEI) October 21, 2005 response regarding the recommendation. Over the past year, the Office of Superfund Remediation and Technology Innovation (OSRTI) has worked closely with RTP to centralize the CERCLIS Regional databases. Since then, the Contingency Plan for CERCLIS has been revised. Furthermore, a coordinated effort with RTP has taken place to perform a table-top review of the CERCLIS application. This review was conducted in September 2005. In complying with Agency standards, OSRTI has used the two NIST documents which focus specifically on COOP Guidance. The first document, NIST 800-84, Guide to Single-Organization IT Exercises, describes the procedures for the table-top review. The second guide, NIST 800-34, Contingency Planning Guide for Information Technology Systems, describes in detail how to write a COOP Plan.

Please feel free to contact Robert King at 703.603.8792 or William Bushee at 703.603.8963, if you have any questions or need additional information.

Appendix H
Office of the Chief Financial Officer
Draft Report Response from the Office of the Chief Financial Officer (OCFO)

October 13, 2005

MEMORANDUM

SUBJECT:  Office of the Chief Financial Officer (OCFO) Response to the Office of Inspector General's (OIG) Information Technology Position Paper #2 – Internal Control – Compliance with Federal Guidelines, Fiscal Year 2005 Financial Statement Audit

FROM:     Michael W. S. Ryan
          Deputy Chief Financial Officer /s/

TO:       Rudy Brevard
          Acting Director, Business Systems Audits

We appreciate the opportunity to provide written comments on the subject Position Paper.
The OCFO remains firmly committed to securing its systems and data in a cost effective manner and in accordance with Federal guidance, EPA policy, and best practices.

If you or your staff have any questions or need additional information concerning our response to the subject Position Paper, contact Krista Mainess, Director of the Office of Program Management, at 202-564-5903.

cc: Paul Curtis, OIG
    Bill Samuel, OIG

OIG recommendations and corresponding OCFO responses are as follows:

OIG Recommendation #1: Responsible office directors provide training to all application owners on the importance of developing, maintaining, and testing contingency plans in accordance with EPA and NIST guidelines and ensure the plans clearly define necessary recovery steps for each application.

OCFO Response to Recommendation #1:
In accordance with EPA requirements, OCFO mandates role-based training for employees with significant security responsibilities, which includes application owners. In addition, beginning in December 2005, the OCFO will conduct quarterly IT Security Council meetings for application owners.

OIG Recommendation #2: Director, Office of Budget revise the BAS contingency plan to contain (1) complete contact information for key personnel and (2) alternate processing and return to normal operations procedures.

OCFO Response to Recommendation #2:
We will include additional contact information for key personnel in the BAS contingency plan. The full record of contact information will include the individual's team position, name, home, work, and pager numbers, and e-mail address. In addition, we will clearly state the procedures for alternate processing and returning to normal operations.

OIG Recommendation #3: Director, Office of Financial Services revise the CPS contingency plan to identify critical recovery requirements and alternate processing procedures.

OCFO Response to Recommendation #3:
The critical recovery requirements and alternate processing procedures for CPS are provided in the NCC/CPS Critical Applications Disaster Recovery Plan (Sixth Edition, Revision 6-5), dated February 18, 2005.

We are providing the following document references for your consideration.
  • Critical Hardware:    Appendix C
  • Critical Software:    Appendix D
  • Telecommunications:   Section 4.6.9.2
  • Facilities:           Section 5.0

OIG Recommendation #4: Director, Office of Financial Services (OFS) revise contingency plan for People Plus to (1) contain primary and secondary personnel information consistent with the Critical Applications Disaster Recovery Plan and (2) clearly describe which plan takes precedence during the recovery process.

OCFO Response to Recommendation #4:
The primary and secondary contacts for PeoplePlus are contained in both the OCFO COOP and Critical Applications Disaster Recovery Plan. The OCFO COOP takes effect if a failure occurs in the DC area, in accordance with the Agency's overall contingency plan. On the other hand, the Critical Applications Disaster Recovery Plan takes effect if a failure occurs at RTP. We will ensure the PPL contingency plan clearly states the order of precedence between itself and the Critical Applications Disaster Recovery Plan.

OIG Recommendation #5: Director, Office of Financial Management (OFM) revise contingency plans, for all of their applications not subscribing to the NCC DRS plan (e.g. Financial Data Warehouse), in accordance with relevant Federal and EPA criteria and best practices.

OCFO Response to Recommendation #5:
We are in the process of subscribing to the NCC Disaster Recovery Service for the Financial Data Warehouse. In addition, we will revise the contingency plan for SCORPIOS in accordance with relevant Federal and EPA criteria and best practices.
"